Original URL: http://www.theregister.co.uk/2011/05/17/vmware_project_horizon_launch/

VMware boots up Horizon cloudy app manager

One app to bind them all

By Timothy Prickett Morgan

Posted in Cloud, 17th May 2011 12:00 GMT

IT managers don't dislike apps, cloud computing, or virtualization, but they need to rein them in and make employees use them in consistent, secure, and responsible ways. And that is what VMware's "Project Horizon" App Manager is all about.

"The operating system becomes less and less relevant," Noah Wasmer, director of advanced development at VMware and the person who spearheaded the development of the Horizon App Manager, tells El Reg.

Not that we won't use operating systems. Of course we will. And, in fact, we will be using many different operating systems to run our applications. It is just that we will no longer let ourselves be defined and limited by the primary operating system that happens to run on our work PC. And not because we have a grudge against Microsoft Windows, but because our applications are no longer just limited to code we installed on our PCs to run locally.

For the first time in many decades, your desktop – both the physical one and the abstract one encapsulated in your PC – is not necessarily the place where you do all of your work. But no matter where you are and no matter what device you happen to have at hand – PC, netbook, smartphone, tablet – you want to be able to get work done.

And in many cases, you have locally running applications, cloud-based applications (Salesforce.com, NetSuite, Workday, Facebook, and so on), and still other applications that are running on corporate servers somewhere behind the firewall that are streamed down to your thin client or PC using various virtual desktop infrastructure (VDI) tools.

The goal of the Horizon App Manager, which has been in development for about eighteen months, is to stitch together all of the different applications we use into a new kind of workspace that shifts with the devices we access them from, and yet gives the IT department a consistent and controlled means of letting us subscribe to applications and run them from PCs, tablets, and smartphones.

Here's the conceptual image of Project Horizon, which as you can see puts VMware at the center of everything you do:

VMware's Project Horizon plan

VMware's Project Horizon App Manager: One ring to bind them all

The Horizon App Manager that launches on Tuesday is not complete, but VMware wanted to start selling it even before it can do all of the functions the company envisions for the service.

The first rev of the Horizon App Manager, which does not have a release number and which is actually sold as a SaaS application, manages access to cloudy applications and presents them in a catalog – the corporate analog to an iTunes store. This is a metaphor that consumers are comfortable with, and this online-store approach is the way workers within the corporation increasingly want to consume applications.

Rather than come up with its own alternative to Active Directory and other LDAP servers that do authentication of user names and passwords to gain access to files and applications on corporate networks,

Project Horizon leverages these installed LDAP servers to create a single sign-on for cloud-based applications. "The LDAP server stays inside the corporate firewall, where it belongs," explains Wasmer, adding that the LDAP server will very likely be the very last server that any company lets go of, since it controls access to applications and data.

Horizon App Manager doesn't just plug into LDAP, it leverages the directory servers to create predefined user- and group-based application entitlements. So if an end user is added to a group – such as the accounting department – then the Horizon App Manager's unified app catalog automatically shows what applications she can use, and access is automatically set up and ready to go. The app catalog also has real-time app usage tracking, which shows who is working out on the public cloud and what they're doing.

At the moment, Horizon App Manager can only do provisioning on Google Apps, but with subsequent releases of the Horizon service, VMware will add others.

Eventually, the Horizon App Manager will also be used to authenticate users on VMware's Cloud Foundry platform cloud.

And over the long haul, says Wasmer, VMware will weave its ThinApp application-streaming middleware into the Horizon App Manager, and the applications running on VMware View VDI-style PCs, as well as the PC images themselves, will eventually be accessible through the same catalog interface.

Because VMware knows that people use a mix of application provisioning and VDI solutions, Microsoft's App-V and Citrix Systems' XenDesktop tools will eventually be linked into the Horizon App Manager so applications could be published to user accounts on various devices, although Wasmer was not at liberty to discuss timetables for when this support would be delivered.

One of the secret sauces in Project Horizon, says Wasmer, is the code that VMware got through its acquisition of TriCipher last August – on the same day that Project Horizon made its debut, in fact.

TriCipher created a triple-key cipher, single sign-on tool that was popular with the financial services industry because it does not pass user names and passwords outside of the firewall. TriCipher was delivering this access control as a service to banks, and VMware saw that it was a key missing piece in its Project Horizon plans. So it scarfed it up.

The initial incarnation of the Horizon App Manager only delivers catalog and authentication services for cloud applications. Wasmer says that around 50 applications out there on the intertubes adhere to the Security Assertion Markup Language (SAML) variant of XML for authentication that Project Horizon prefers, and these plug right into the app manager.

SAML keeps passwords inside the corporate firewall as authentication is done for applications outside the firewall, and so phishing is not very fruitful. Google, Salesforce.com, Cisco Systems, and others are behind the SAML standard.

If an application does not yet support SAML, the Horizon App Manager's enterprise connector, which runs inside an ESXi virtual machine inside the corporate firewall and is hooked into the LDAP/AD server, can provide access through a secure form post method.

VMware has identified thousands of such applications, and until they support SAML, Horizon needs to do something to give them access. User names and passwords for each user are stored in the Horizon ID vault, which does the authentication.

The app manager doesn't just keep track of access to applications, but also licensing, and it knows how to harvest back a license if you are not using it. For example, system admins could set a rule that if you subscribe to an app and you don't use it in 90 days, your app is revoked and that license is then available to another user. The provisioning portions of the App Manager can do annual, monthly, or perpetual licenses as well as concurrent or numbered user licensing.

The Horizon App Manager itself is written in Java using VMware's Spring framework; the tool's user interface is based on a mix of HTML, CSS, and Ajax. The Horizon browser platform, from which applications are launched, is accessible in Internet Explorer 7 or higher, Firefox 3.5 or higher, or Safari 5.

The plan is to do a new release every month to add new functionality, but with the goal of letting customers pick what level of functionality – bleeding edge or a few releases back – that they want to use, much as Google Apps does.

Horizon App Manager has been in beta testing for the past four months at around 40 customers, says Wasmer. The tool is available now to select early access customers in North America and in the Asia/Pacific region. VMware plans to start trials in other regions, with volume shipments later this year. The app manager service costs $30 per user per year. ®